545212013-02-04 10:54:16 +0000DigestAuthenticator: nonceCountValid() fails in case of simultaneous asynchronous requests of the same client2013-02-08 08:41:43 +0000111UnclassifiedTomcat 7Catalina7.0.35PCAllRESOLVEDFIXEDP2normal---1sven.stieberdev0oldest_to_newest1650450sven.stieber2013-02-04 10:54:16 +0000Concerned components:
org.apache.catalina.authenticator.DigestAuthenticator
org.apache.catalina.authenticator.DigestAuthenticator.NonceInfo
Scenario:
A multithreaded client sends two requests within one millisecond. The DigestAuthenticator creates for each request a nonce as well as a NonceInfo instance. The two nonces are equal, as they were created within the same millisecond. When writing data into the cache (method generateNonce()), the second NonceInfo instance overwrites the first one (same key!).
Problem:
The two client threads then send a second request with a digest authentication header. In both requests, “nc” (nonce count) is equal “1”, as the nonce has been newly created. In the NonceInfo of the first request, array “seen” is set to “true” for index ((nonceCount + offset) % seen.length). In the second request the same NonceInfo instance is used, as the instance is retrieved from map “nonces” using “nonce” as a key, that is, in both requests the same key is used. Consequently, method “nonceCountValid()“ returns „false“, as seen[(nonceCount + offset) % seen.length)] has already been set to „true“. Therefore the authentication fails, although the client has sent a valid digest authentication header.
Conclusion:
Working with multi-threaded clients with many requests, digest authentication does not function reliably.1651151markt2013-02-07 11:03:58 +0000Thanks for the report.
This has been fixed in trunk and 7.0.x and will be included in 7.0.37 onwards.1651312sven.stieber2013-02-08 08:41:43 +0000Thank you for fixing this that quick. One additional question: Will this fix be included into the next Tomcat 6 Release, too?